<!DOCTYPE html>
<html lang="zh-cn"><head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">

    
    <link href="/css/bootstrap.min.css" rel="stylesheet">
    <link href="/css/main.css" rel="stylesheet">

    <link rel="shortcut icon" type="image/x-icon" href="/img/favicon.ico" />

    <title>通过iptables设置防火墙 | wiseAI的小站</title>
</head><body><div class="container-fluid">
    <nav class="navbar fixed-top navbar-expand-sm navbar-dark bg-dark">
        <div class="container-fluid">
            <a class="navbar-brand" href="/">
                <img src="/img/favicon.ico" alt="" width="30" height="24" class="d-inline-block align-text-top">
                wiseAI的小站
            </a>
            <button class="navbar-toggler" type="button" data-bs-toggle="collapse" data-bs-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
                <span class="navbar-toggler-icon"></span>
            </button>
            <div class="collapse navbar-collapse" id="navbarSupportedContent">
                <ul class="navbar-nav me-auto mb-2 mb-lg-0">
                    
                    <li class="nav-item">
                        <a  class="nav-link"   href="/articles/">文章</a>
                    </li>
                    
                    <li class="nav-item">
                        <a  class="nav-link"   href="/categories/">分类</a>
                    </li>
                    
                    <li class="nav-item">
                        <a  class="nav-link"   href="/tags/">关键字</a>
                    </li>
                    
                    <li class="nav-item">
                        <a  class="nav-link"   href="/post/golang/">golang编程</a>
                    </li>
                    
                    <li class="nav-item">
                        <a  class="nav-link"   href="/about/">关于</a>
                    </li>
                    
                </ul>
                <form class="d-flex">
                    <input id="search-query" class="form-control me-2" type="search" placeholder="Search for anything..." aria-label="Search">
                </form>
            </div>
        </div>
    </nav>
</div>




<div id="content">
<div class="container article">
	<h1>通过iptables设置防火墙</h1>
	<div class="post-meta">
		<div>
			
			
			By wiseai | 2022-05-30 | 2 minutes
		</div>
		<div class="tags">
			
			<a class="btn btn-light links btn-sm" href="/tags/%E9%98%B2%E7%81%AB%E5%A2%99/">防火墙</a>
			
			<a class="btn btn-light links btn-sm" href="/tags/sh/">sh</a>
			
		</div>
	</div>
	<div>
		<div class="article-post">
			<pre tabindex="0"><code>    #!/bin/bash

    PATH=/sbin:/bin:/usr/sbin:/usr/bin

    #设置网卡
    wk=&#34;eth1&#34;

    # 1. 清除规则
    iptables -F
    iptables -X
    iptables -Z

    # 2. 设定政策
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # 3~5. 制订各项规则
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i $wk -m state --state RELATED,ESTABLISHED -j ACCEPT

    #samba服务
    iptables -A INPUT -i $wk -p tcp --dport 139 -j ACCEPT
    iptables -A INPUT -i $wk -p tcp --dport 445 -j ACCEPT
    iptables -A INPUT -i $wk -p udp --dport 137:138 -j ACCEPT

    #vsftp服务
    iptables -A INPUT -i $wk -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -i $wk -p tcp --dport 1024:65535 -j ACCEPT
    #iptables -A INPUT -i $wk -s 192.168.1.0/24 -j ACCEPT
</code></pre><p><strong>1.查看防火墙规则</strong></p>
<p><code># iptables [-t tables] [-L] [-nv] </code>
选项与参数：
-t ：后面接table ，例如nat或filter，若省略此项目，则使用预设的filter
-L ：列出目前的table的规则
-n ：不进行IP 与HOSTNAME 的反查，显示速度会快很多！
-v ：列出更多的相关信息</pre></p>
<p><strong>2.清除规则</strong>
<code># iptables [-t tables] [-FXZ] </code>
选项与参数：
-F ：清除所有的已订定的规则；
-X ：杀掉所有使用者&quot;自订&quot; 的chain；
-Z ：将所有的chain 的计数与流量统计都归零</pre></p>
<p><strong>3.定义预设政策(policy)</strong>
<code># iptables [-t nat] -P [INPUT,OUTPUT,FORWARD] [ACCEPT,DROP] </code>
选项与参数：
-P ：定义政策( Policy )。注意，这个P为大写啊！
ACCEPT ：该封包可接受
DROP ：该封包直接丢弃，不会让client 端知道为何被丢弃。</p>
<p>范例：将本机的INPUT设定为DROP ，其他设定为ACCEPT</p>
<pre tabindex="0"><code># iptables -P INPUT DROP 
# iptables -P OUTPUT ACCEPT 
# iptables -P FORWARD ACCEPT 
# iptables -t nat -P PREROUTING ACCEPT
# iptables -t nat -P POSTROUTING ACCEPT
# iptables -t nat -P INPUT ACCEPT
# iptables -t nat -P OUTPUT ACCEPT
</code></pre><p><strong>nat表不用于过滤，所以不能设置为DROP</strong>
<strong>4.定义规则</strong>
<code># iptables [-AI链名] [-io网络界面] [-p协议] [-s来源IP/网域] [-sport 端口范围] [-d目标IP/网域] [-dport 端口范围] -j [ACCEPT'DROP'REJECT'LOG] </code>
选项与参数：</p>
<pre tabindex="0"><code>-AI链名：规则的&#34;插入&#34;或&#34;增加&#34;
-A：新增加一条规则，该规则增加在原本规则的最后面。例如原本已经有四条规则，使用-A就可以加上第五条规则！
-I：插入一条规则。如果没有指定此规则的顺序，预设是插入变成第一条规则。
例如原本有四条规则，使用-I则该规则变成第一条，而原本四条变成2~5号
链：有INPUT，OUTPUT，FORWARD等，此链名称又与-io有关，请看底下。
-io网卡：设定封包进出的规范
-i：封包所进入的那个网卡，例如eth0，lo等网卡。需与INPUT链配合；
-o：封包所传出的那个网卡，需与OUTPUT链配合；
-p协议：设定此规则适用于哪种封包格式
主要的封包格式有：tcp，udp，icmp及all。
-s来源IP/网域：设定此规则之封包的来源项目，可指定单纯的IP或包括网域，例如：
IP :192.168.0.100
网域：192.168.0.0/24，192.168.0.0/255.255.255.0均可。
若规范为『不许』时，则加上！即可，例如：
-s！192.168.100.0/24表示不许192.168.100.0/24封包来源；
-d目标IP/网域：同-s，只不过这里指的是目标的IP或网域。
--sport 来源端口范围。例如 1024:65535 
--dport 目标端口范围
-j：后面接动作，主要的动作有接受（ACCEPT）、丢弃（DROP）、拒绝（REJECT）及记录（LOG） 
</code></pre><p><code># iptables -A INPUT [-m state] [--state状态]  </code>
选项与参数：</p>
<pre tabindex="0"><code>-m：一些iptables的外挂模块，主要常见的有：  
          state：状态模块  
          mac：网络卡硬件地址（hardware address）  
--state：一些封包的状态，主要有：  
         INVALID：无效的封包，例如数据破损的封包状态  
        ESTABLISHED：已经联机成功的联机状态；  
        NEW：想要新建立联机的封包状态；  
       RELATED：这个最常用！表示这个封包是与我们主机发送出去的封包有关  
</code></pre><p>例：只要已建立或相关封包就予以通过，只要是不合法封包就丢弃 <br>
<code># iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  </code>
<code># iptables -A INPUT -m state --state INVALID -j DROP</code>
对MAC地址为aa:bb:cc:dd:ee:ff主机开放其连接
<code># iptables -A INPUT -m mac --mac-source aa:bb:cc:dd :ee:ff -j ACCEPT </code>
选项与参数：</p>
<pre tabindex="0"><code>--mac-source ：就是来源主机的MAC
</code></pre><p><strong>ICMP 封包规则：针对是否回应ping 来设计</strong></p>
<p>通常我们会把ICMP type 8 (echo request)去掉而已，让远端主机不知道我们是否存在，也不会接受ping的回应。
<code># iptables -A INPUT [-p icmp] [--icmp-type类型] -j ACCEPT </code>
选项与参数：</p>
<pre tabindex="0"><code>--icmp-type ：后面必须要接ICMP 的封包类型，也可以使用代号，
              例如8 代表echo request 的意思。
</code></pre><p>例：让0,3,4,11,12,14,16,18的ICMP type可以进入本机：</p>
<pre tabindex="0"><code>#!/bin/bash 
icmp_type=&#34;0 3 4 11 12 14 16 18&#34; 
for typeicmp in $icmp_type 
do 
    iptables -A INPUT -i eth0 -p icmp --icmp-type $typeicmp -j ACCEPT 
done
</code></pre>
		</div>
	</div>
</div>


<div class="container">
    
    <div class="row">
        
        <div class="col-5">
            <a class="page-link link-dark text-end dh" href="/post/footnote/">
                <h5>前一篇</h5><br>
                Footnote test
            </a>            
        </div>
        
        <div class="col-2">
        </div>
        
        <div class="col-5">
            <a class="page-link link-dark text-start dh" href="/post/linux%E6%9B%B4%E6%8D%A2%E7%BD%91%E5%8D%A1%E5%90%8E%E7%BD%91%E7%BB%9C%E6%9C%8D%E5%8A%A1%E4%B8%8D%E8%83%BD%E5%90%AF%E5%8A%A8%E7%9A%84%E9%97%AE%E9%A2%98%E8%A7%A3%E5%86%B3%E5%8A%9E%E6%B3%95/">
                <h5>后一篇</h5><br>
                Linux更换网卡后网络服务不能启动的问题解决办法
            </a>            
        </div>
        
    </div>
    
</div>

        </div><br><br>
<footer class="container">
    <h2>友情链接</h2>
    <hr>
    <nav class="nav nav-pills flex-column flex-sm-row">
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://wiseai.gitee.io/pages/gnzg/index.html" target="_blank">孤鸟之歌</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://wiseai.gitee.io/pages/mm/index.html" target="_blank">生成随机字符</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://wiseai.gitee.io/pages/md/index.html" target="_blank">MarkDown</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://gitee.com/" target="_blank">Gitee</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://github.com/" target="_blank">Github</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://www.aliyun.com/" target="_blank">阿里云</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://cloud.tencent.com/" target="_blank">腾讯云</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://www.oschina.net/" target="_blank">OSCHINA开源中国</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://gitee.com/wiseai/the-way-to-go_ZH_CN/blob/master/eBook/directory.md" target="_blank">the way to go</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://topgoer.com/" target="_blank">golang文档</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://goframe.org/display/gf" target="_blank">GoFrame</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://www.aliyundrive.com/" target="_blank">阿里云盘</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://cn.vuejs.org/" target="_blank">vue3文档</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://element-plus.gitee.io/zh-CN/" target="_blank">element-plus文档</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://www.runoob.com/vue3/vue3-tutorial.html" target="_blank">vue3菜鸟教程</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://v5.bootcss.com/" target="_blank">bootstrap v5 中文文档</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://www.bootstrap.cn/" target="_blank">bootstrap文档</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://caddy2.dengxiaolong.com/docs/" target="_blank">caddy中文教程</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://www.58pic.com/" target="_blank">千图</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://ifonts.com/" target="_blank">iFonts</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://marketing.qiniu.com/" target="_blank">七牛云</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://www.ixigua.com/" target="_blank">西瓜视频</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://wiseai.gitee.io/pages/yugang/index.html" target="_blank">鱼缸计算</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://justcc.mengkang.net/#/" target="_blank">C语言JustCC</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://wiseai.gitee.io/pages/pptist/" target="_blank">PPTist</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="/index.xml" target="_blank">RSS</a>
        
        <a class="flex-sm-fill text-sm-center nav-link links link-dark" href="https://www.kancloud.cn/idcpj/python/418553" target="_blank">参考资料</a>
        
    </nav>

    <div class="copyright text-center">
      <span class="power-by">
        Powered by <a class="links" href="https://gohugo.io" target="_blank">Hugo</a>
    </span>
    <span>|</span>
    <span>
        Theme - <a class="links" href="https://github.com/wiseai-go/blog-hugo" target="_blank">WiseAI</a>
    </span>
    <br>
    <span class="copyright-year">
        &copy;
        
        2017 -
        2023<span>
            陇ICP备15000157号
            
        </span></span>

</div>
</footer>
<script src="/js/bootstrap.bundle.min.js"></script>


</body>
</html>
